A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11948  by Kafeine
 Sat Mar 03, 2012 8:41 pm
Thanks evild3ad for sharing this. It seems Blackhole serving sinowal are themselves hosted on Sinowal bots.
They are serving the landing page throught fastflux dns domain:
/index.php?tp=001e4bb7b4d7333d
/index.php?tp=16db1e9316b87590
The admin login page is adm.php (nginx reply: 403)
I am wondering if you got this kind of hosting on your node...but maybe specific conditions are required to get the BH EK installed (like accessible tcp 80)

I also noticed some strange files available on Sinowal BH EK. (some looks like configuration file or Grabber)
File : 29651 for instance

Image

... but files e0ca, 97d19, 14095 & 31359 seems not pe too.

I did not found good explanation about that. Any idea anyone ?
Attachments
Data + A video grabber plugin ?
(557.54 KiB) Downloaded 65 times
 #12152  by erikloman
 Fri Mar 16, 2012 6:13 am
HitmanPro 3.6 build 148 removes Sinowal.knf variant. It was tricky to get around the miniport hook and counter the watchdog.

Sinowal.knf was served by the Nuclear Exploit Pack from India through the Dutch NU.nl news site on March 14, 2012 from 11:30 till 13:30.
The NU.nl website is Holland's #6 website in terms of unique visits.

Potentially 100.000+ visitors of NU.nl got infected:
http://www.waarschuwingsdienst.nl/Risic ... lware.html
http://www.volkskrant.nl/vk/nl/2694/Int ... ware.dhtml
http://www.telegraaf.nl/digitaal/117235 ... .nl__.html
 #12185  by rkhunter
 Sat Mar 17, 2012 7:38 am
The SmokeLoader distributed a component known as ‘miniloader’, which downloads the installer component from the Sinowal installer server. On Windows 2000 and Windows XP it will install the MBR bootkit, which is used since the end of 2007 as the method of startup, which is also commonly referred to as Mebroot. ...On Windows Vista and Seven systems the threat would install a userland component but we have not verified this during the nu.nl compromise.
As I understand it not infects MBR at Vista+.
 #12197  by Kafeine
 Sat Mar 17, 2012 12:31 pm
Attached : 36 files found on the BH EK volhoparatel.info.

There are some non PE file (as explained before) and many packed sinowal.
Attachments
(2.48 MiB) Downloaded 77 times
 #12218  by Tanaisius
 Mon Mar 19, 2012 11:42 am
Hello,

Did anyone noticed strange code in recent mebroot samples, look at screenshots attached.
It works in kernel mode and does some manipulations with PCI configurations regs and other i/o ports, any clues what it could be?
Attachments
2.png
2.png (24.43 KiB) Viewed 609 times
1.png
1.png (12.23 KiB) Viewed 609 times
 #12273  by bytejammer
 Thu Mar 22, 2012 10:23 pm
I've been investigating Sinowal.knf recently and stumbled across its watchdog which uses a clever trick to re-infect the MBR when it is being cleaned. The watchdog is able re-infect by performing I/O without calling the miniport's SCSI dispatch. How does the watchdog do this? I'm guessing its copying N instructions of the original SCSI dispatch function (like IdePortDispatch) and jumping N instructions ahead in the original code. But maybe I'm wrong. Does someone have a clue how Sinowal.knf is re-infecting?
 #12321  by Kafeine
 Sat Mar 24, 2012 6:14 pm
On more "raw" extraction of a Blackhole Exploit Kit deploying Sinowal.
vafernatre.in - on ip 216.12.221.139 at the time of extraction.
Attachments
Pass: infected - 52 items. Some not PE Files.
(3.89 MiB) Downloaded 81 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 12